SeshiBhush
Level 1

I need 172.X.X.X (this is in the DMZ) to reach port 53 of the DNS server at 172.X.X.X (this is on the Inside) on the Cisco ASA. Please help me with the command.

Ton V Engelen
Level 3

access-list DMZ-OUT extended permit udp host 172.x.x.x host 172.x.x.x eq 53

or

access-list DMZ-OUT extended permit udp 172.x.x.x 255.255.x.x 172.x.x.x 255.255.x.x eq 53

Thank you, Ton.

I entered "access-list DMZ_in extended permit tcp host 172.X.X.X host 172.X.X.X eq domain", as the DNS server is on the Inside interface, but I could not see any hit count.

Anything I need to change?

Do you have an access-group on your inside interface to activate the ACL?

Something like:

access-group DMZ_in in interface inside

It might be wise to post part of your config to get a better understanding of how things are routed.

172.16.239.29 (Host on DMZ) should communicate with 172.16.230.54 (DNS on Inside Interface) on port 53:

Here is some part of the relevant configuration:

name-server napridc01
-------------------------------------------
object-group network ADServers
network-object napridc01 255.255.255.255
network-object napridc02 255.255.255.255
network-object host napridc03
-------------------------------------------
object-group network localTimeServers
network-object host napridc01
network-object host napridc02
-------------------------------------------
NAPRIFWL01# sh run | include 172.16.239.29
access-list DMZ_in extended permit tcp host 172.16.239.29 host 172.16.230.54 eq domain
static (DMZ,Outside) 209.242.68.29 172.16.239.29 netmask 255.255.255.255
-------------------------------------------
NAPRIFWL01# sh run | include 172.16.230.54
access-list DMZ_in extended permit tcp host 172.16.239.35 host 172.16.230.54 eq domain
access-list DMZ_in extended permit tcp host 172.16.239.29 host 172.16.230.54 eq domain
aaa-server VPNEUAD_Auth (Inside) host 172.16.230.54
dns-server value 172.16.230.54

I see that you use TCP for permitting port 53. Try and test this with UDP; that could be your issue.

Thank you, I will try and let you know. Thanks for the help, Ton.

Good luck

What you could do to test your current config:

Do a telnet from the server in the DMZ to the DNS server on port 53: telnet 172.16.230.54 53 (from a DOS box).

If you see a hit, you know that the ACL is working for TCP on port 53.

Then you can create an ACL entry that permits DNS over UDP on port 53.

If you don't get a hit, there is a routing or NAT issue.

Gotcha, thank you.
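Added example (not posted by anyone in the thread): the pieces above pulled together into one pre-8.3 ASA configuration fragment, in the same syntax as the "static (DMZ,Outside)" line in the posted config. The interface names DMZ and Inside, the ACL name DMZ_in and the two host addresses come from the thread. Two points the thread only touches on are made explicit: ordinary DNS queries are UDP/53 (TCP/53 is used for zone transfers and for answers too large for UDP), and an ACL is evaluated only once it is bound with access-group to the interface where the traffic enters the firewall, which for DMZ-to-Inside traffic is the DMZ interface, inbound. The identity static is needed only if nat-control is enabled on this ASA; that is stated as an assumption to check.

```cisco
! Added example, not the thread's own config. Pre-8.3 ASA syntax.
!
! DNS queries are UDP/53; permit that first. TCP/53 is only needed for
! zone transfers or oversized responses, so add it only if the server
! really requires it.
access-list DMZ_in extended permit udp host 172.16.239.29 host 172.16.230.54 eq domain
access-list DMZ_in extended permit tcp host 172.16.239.29 host 172.16.230.54 eq domain
!
! Without an access-group the ACL is never consulted and never counts hits.
! The flow enters on the DMZ interface, so bind the ACL there, inbound.
! Return traffic from the DNS server is allowed by the stateful inspection
! engine; no ACL entry on Inside is needed for the replies.
access-group DMZ_in in interface DMZ
!
! Assumption: only required if nat-control is enabled (check with
! "show running-config | include nat-control"). With nat-control on, a
! lower- to higher-security flow needs a translation; an identity static
! for the DNS server keeps its real address.
static (Inside,DMZ) 172.16.230.54 172.16.230.54 netmask 255.255.255.255
!
! Verify from the ASA itself, without touching either host:
!   packet-tracer input DMZ udp 172.16.239.29 1025 172.16.230.54 53
!   show access-list DMZ_in | include 172.16.230.54
! packet-tracer walks route lookup, ACL and NAT for the flow and reports the
! phase that drops it; the hitcnt on the matching ACE should then increment
! once real queries arrive.
```

From the DMZ host, "nslookup <name> 172.16.230.54" exercises the UDP/53 entry. The telnet test suggested in the thread (or "dig +tcp", or "set vc" in Windows nslookup) exercises only the TCP/53 entry, so a successful telnet does not prove that normal UDP lookups will work.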